GHSA-rvmq-4x66-q7j3

Опубликовано: 27 июл. 2020

Источник: github

Github: Прошло ревью

CVSS4: 8.7

CVSS3: 8.8

Описание

Remote code execution (RCE) in Apache Airflow

An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.

Ссылки

Пакеты

Наименование

apache-airflow

pip

Затронутые версииВерсия исправления

< 1.10.11rc1

1.10.11rc1

EPSS

Процентиль: 100%

0.94272

Критический

8.7 High

CVSS4

8.8 High

CVSS3

CVE ID

CVE-2020-11978

Дефекты

CWE-77

CWE-78

Связанные уязвимости

CVE-2020-11978

CVSS3: 8.8

nvd

больше 5 лет назад

An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.

CVE-2020-11978

CVSS3: 8.8

debian

больше 5 лет назад

An issue was found in Apache Airflow versions 1.10.10 and below. A rem ...

BDU:2022-00709

CVSS3: 8.8

fstec

больше 5 лет назад

Уязвимость программного обеспечения создания, мониторинга и оркестрации сценариев обработки данных Airflow, связанная с непринятием мер по нейтрализации специальных элементов используемых в команде ОС, позволяющая нарушителю выполнить произвольные команды с привилегиями суперпользователя

EPSS

Процентиль: 100%

0.94272

Критический

8.7 High

CVSS4

8.8 High

CVSS3

CVE ID

CVE-2020-11978

Дефекты

CWE-77

CWE-78